1. Field of the Invention
Embodiments of the present invention generally relate to computer security systems and, more particularly, to a method and apparatus for managing an alert level for notifying a user as to threats to a computer.
2. Description of the Related Art
Widespread use of data networks by small to large enterprises has resulted in an increase in computer system attacks by various malicious software programs (e.g., viruses, Trojan horses, worms and the like). Such malicious software programs may be transmitted (e.g., downloaded) to a computer system as an executable program, as an email attachment, as malicious HTML code on a web page, etc. For example, a particular malicious software program may be executed on a user computer in order to damage expensive computer hardware, destroy valuable data, consume limited computing resources and/or compromise sensitive information.
Various security software programs (e.g., anti-virus, anti-spyware, anti-phishing software programs) are often employed to detect the malicious software programs and prevent problems caused by the execution of such malicious software programs. The various security software programs may monitor a computer system for activities and/or code signatures associated with the malicious software programs and trigger an alert or provide various remedial measures, such as quarantining, repairing or deleting infected files.
The various security software programs currently utilize a wide range of techniques to detect and remove the malicious software programs from the infected computer systems. For example, a security software program may perform signature validation. As another example, the security software program may employ behavior blocking where a number of processes being executed on the computer systems are monitored in order to determine bad or suspicious behavior by any of the processes. Upon detection of any bad or suspicious behavior, the security software program may trigger an alert.
Nonetheless, bad or suspicious behavior does not necessarily imply the existence of malicious software programs. As such, the alerts triggered by this detection technique may often misdiagnose non-malicious code as malicious code, which results in the generation of false positives. Consequently, an increase in the number of alerts triggered by the security software program may increase the number of false positives. Further, the false positives may trigger unwarranted remedial measures. For example, the false positives may result in temporary deactivation of critical computer resources, which can be very costly.
Furthermore, the security software programs employ a conservative approach to notifying the user of suspicious behavior, because the rate of alerts is directly proportional to the number of false positives. In other words, as the number of alerts sent to the user increases, the number of false positives also increases. As such, the security software programs do not report certain suspicious behavior in order to reduce the number of false positives, at the expense of leaving genuine threats to the computer unreported.
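The trade-off described above, as an added illustration that is not part of the patent text: a toy behavior-blocking scorer with an adjustable alert level, run over constructed process events with known ground-truth labels. The behavior weights, the alert-level thresholds and the sample events are all assumptions made for this example; they show that lowering the threshold (raising the alert level) increases the number of alerts and, with it, the number of false positives, while the conservative level misses genuine threats.

```python
"""Added example (not from the patent text): a toy behavior-blocking scorer
with an adjustable alert level, evaluated on constructed labelled events."""
from dataclasses import dataclass

# Constructed weights for observed process behaviours (assumption, not from the page).
BEHAVIOR_WEIGHTS = {
    "writes_autorun_key": 3,
    "injects_into_process": 4,
    "opens_many_outbound_connections": 2,
    "modifies_hosts_file": 3,
    "spawns_shell": 1,
    "reads_browser_credentials": 4,
}

# Alert level -> minimum suspicion score that triggers an alert.
# A higher level uses a lower threshold, i.e. reports more behaviour.
ALERT_LEVEL_THRESHOLDS = {1: 8, 2: 5, 3: 2}


@dataclass
class ProcessEvent:
    name: str
    behaviors: list
    is_malicious: bool  # ground-truth label for the constructed sample


def suspicion_score(event):
    """Sum the weights of the behaviours observed for one process."""
    return sum(BEHAVIOR_WEIGHTS.get(b, 0) for b in event.behaviors)


def should_alert(event, alert_level):
    """Behavior blocking decision at the given alert level."""
    return suspicion_score(event) >= ALERT_LEVEL_THRESHOLDS[alert_level]


def evaluate(events, alert_level):
    """Return (alerts, true_positives, false_positives, missed_threats)."""
    alerts = true_pos = false_pos = missed = 0
    for event in events:
        if should_alert(event, alert_level):
            alerts += 1
            if event.is_malicious:
                true_pos += 1
            else:
                false_pos += 1
        elif event.is_malicious:
            missed += 1
    return alerts, true_pos, false_pos, missed


# Constructed sample: three malicious processes and five benign ones whose
# legitimate behaviour overlaps with the suspicious patterns (scores in comments).
SAMPLE_EVENTS = [
    ProcessEvent("dropper.exe", ["writes_autorun_key", "injects_into_process",
                                 "opens_many_outbound_connections"], True),   # 9
    ProcessEvent("stealer.exe", ["reads_browser_credentials", "spawns_shell"], True),  # 5
    ProcessEvent("worm.exe", ["opens_many_outbound_connections", "modifies_hosts_file"], True),  # 5
    ProcessEvent("installer.exe", ["writes_autorun_key", "spawns_shell"], False),      # 4
    ProcessEvent("p2p_client.exe", ["opens_many_outbound_connections"], False),        # 2
    ProcessEvent("password_manager.exe", ["reads_browser_credentials"], False),        # 4
    ProcessEvent("notepad.exe", [], False),                                            # 0
    ProcessEvent("debugger.exe", ["injects_into_process", "spawns_shell"], False),     # 5
]


def tradeoff_table(events=SAMPLE_EVENTS):
    """Map each alert level to its (alerts, tp, fp, missed) counts."""
    return {level: evaluate(events, level) for level in sorted(ALERT_LEVEL_THRESHOLDS)}


if __name__ == "__main__":
    print("level  alerts  true_pos  false_pos  missed")
    for level, (alerts, tp, fp, missed) in tradeoff_table().items():
        print(f"{level:>5}  {alerts:>6}  {tp:>8}  {fp:>9}  {missed:>6}")
```

On the constructed sample, level 1 raises one alert (one true positive, two threats missed), level 2 raises four (three true positives, one false positive) and level 3 raises seven (three true positives, four false positives): the alert count and the false-positive count rise together, which is exactly why a fixed conservative threshold trades missed threats for fewer false positives.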
In addition, a subscription service (e.g., SYMANTEC LiveUpdate) may update a security software program to protect the computer systems from new malicious software programs. For example, the security software program may download new signatures for detecting the new malicious software programs. Unfortunately, a considerable amount of time is required to create the new signatures. As a result, the update of the security software program may be delayed due to an amount of time required to find solutions to the new malicious software programs.
Therefore, there is a need in the art for a method and apparatus for managing an alert level for notifying a user as to threats to a computer from malicious software programs (e.g., a virus outbreak) or due to vulnerabilities associated with the computing environment.